Home
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 5: Measuring progress and demonstrating compliance
Learn how to measure progress and demonstrate compliance.
Demonstrating compliance
Learn how to demonstrate compliance.
Industry standard reports
Learn about Industry standard report.
NERC Cyber Security Standards report
This report displays NERC Cyber Security Standards issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.

Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.
  - Measuring progress
    Learn how to track various metrics and trends of the applications that compose your portfolio.
  - Demonstrating compliance
    Learn how to demonstrate compliance.
    - Exporting issues as reports
      You can generate customized reports (in PDF, HTML, or XML) for issues and send them to developers, internal auditors, penetration testers, managers, and the CISO. The reporting templates in AppScan Enterprise map application security data to key government regulations and industry standards. Use the reports to document progress towards regulatory compliance goals, such as showing a reduction in the number of application vulnerabilities that are associated with compliance issues.
    - Limiting the size of a Security report
      Security reports can be large. During report generation, you might receive a warning message that the file is hundreds of pages long, or the report creation process might time out. Try the following tips to reduce report size.
    - Compliance Report
      Learn about Compliance report.
    - Industry standard reports
      Learn about Industry standard report.
      - International Standard ISO 27001 report
        This report displays existing web application vulnerabilities that violate this standard control objectives. The control objectives as listed in this standard are directly derived from and aligned with the control objectives listed in ISO 17799.
      - International Standard ISO 27002 report
        This report displays existing web application vulnerabilities that violate this standard control objectives. The control objectives as listed in this standard are directly derived from and aligned with the control objectives listed in ISO 17799.
      - NERC Cyber Security Standards report
        This report displays NERC Cyber Security Standards issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - NIST Special Publication 800-53 Revision 4 report
        This report displays NIST issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - OWASP Top 10 2013 report
        This report displays OWASP Top 10 2013 issues found on your site.
      - SANS/CWE Top 25 Most Dangerous Programming Errors v1.03 report
        This report displays SANS/CWE Top 25 Most Dangerous Programming Errors issues found on your site. It matches issue types by CWE values. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - WASC Threat Classification v2.0 report
        This report displays WASC threat classification issues found on your site.

NERC Cyber Security Standards report

This report displays NERC Cyber Security Standards issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.

Why it matters

CIPC coordinates NERC's security initiatives. The group is comprised of industry experts in the areas of cyber security, physical security, and operational security. CIPC reports to NERC's Board of Trustees. It is governed by an Executive Committee, whose members manage CIPC policy matters and provide support to CIPC's subcommittees and their working groups and task forces. The Cyber Security Standards strive to ensure that all entities responsible for the reliability of the Bulk Electric Systems in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric Systems.

NERC Standards CIP-002-2 through CIP-009-2 provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System. These standards recognize the differing roles of each entity in the operation of the Bulk Electric System, the criticality and vulnerability of the assets needed to manage Bulk Electric System reliability, and the risks to which they are exposed. Business and operational demands for managing and maintaining a reliable Bulk Electric System increasingly rely on Cyber Assets supporting critical reliability functions and processes to communicate with each other, across functions and organizations, for services and data. This results in increased risks to these Cyber Assets.